Systems and methods for preventing remote attacks against transportation systems

ABSTRACT

Systems and methods are provided to implement moving target defense techniques for transportation systems. The moving target defense techniques can randomly change the IP addresses of the nodes associated with both the vehicles and the corresponding control centers. The nodes for the vehicles and the control centers can be “mobile” nodes that use a “care-of” IP address for communications. The care-of address used by the nodes can be updated through a binding update process. During the binding update process, the one node sends the binding update notice (with a new care-of address) to the care-of address of the other node while maintaining its prior care-of address. The node that receives the binding update notice can send a binding acknowledgement back to the node that sent the binding update. Once the binding acknowledgement is received, the prior care-of address can be removed by the node that sent the binding update.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 15/461,099, entitled “Systems and Methods for Preventing Remote Attacks Against Transportation Systems” and filed on Mar. 16, 2017, which claims the benefit of U.S. Provisional Application No. 62/338,665, entitled “Moving Target Defense Systems and Methods” and filed on May 19, 2016, both of which applications are hereby incorporated by reference in their entirety.

BACKGROUND

The present application generally relates to systems and methods for preventing attacks against a transportation system using the Internet for communications. Specifically, the present application is directed to preventing attacks against an aircraft avionics system and corresponding ground station by dynamically changing the IP (Internet Protocol) addresses used by both the aircraft avionics system and the ground station.

Computer technology is being used in many modern transportation systems for vehicles, trains and airplanes. The computer technology used with a transportation system can be susceptible to similar kinds of vulnerabilities and security problems found in networked computers. One type of transportation system can incorporate an aircraft avionics system that is used by many airplanes and/or aircraft to assist the pilot and other personnel with the operation of the aircraft.

Some aircraft avionics systems can be connected to the Internet via one or more satellites. The avionics systems can also include a Wi-Fi passenger network component as well as aircraft critical components such as control systems, flight safety systems and navigation systems. Since the aircraft uses a single avionics system, the critical components of the avionics system may be accessible through the passenger Wi-Fi network and/or via the Internet. Thus, an attacker may be able to obtain unauthorized access and control of the critical components (e.g., the navigation system) of the avionics system either remotely or from on-board the aircraft.

Some techniques used to prevent or limit attacks on an avionics system can include isolating the critical components of the avionics system through the use of firewalls and intrusion detection and prevention systems, requiring pilot involvement before permitting changes to the critical components of the avionics system, and attempting to keep the design and technology of the avionics system secret. However, none of these techniques can prevent all attacks and some of the techniques may even be inoperable or problematic when the avionics system has to incorporate an uninterruptable autopilot system for emergency situations. An uninterruptable autopilot system, when engaged, is connected via satellite to air traffic control and one or more authorized remote entities and prevents anyone on-board the aircraft from controlling the aircraft. One drawback to the use of an uninterruptable autopilot system is the potential for an attacker to access and control the aircraft's avionics system and uninterruptable autopilot system.

SUMMARY

The present application generally pertains to moving target defense systems and methods for critical systems such as aircraft avionics systems and corresponding ground stations. The moving target defense systems and methods can randomly change the IP addresses used by both the aircraft avionics system and the ground station. The aircraft avionics system and the ground station can each be a “mobile” node that uses a “care-of” IP address for communications. The care-of address for each of the aircraft avionics system and the ground station can be changed at a predefined interval. The care-of address used for the aircraft avionics system or the ground station, which can be referred to as peer nodes, can be updated through a binding update process. During the binding update process, the one peer node sends the binding update notice (with a new care-of address) to the care-of address of the other peer node while maintaining its prior care-of address. The peer node that receives the binding update notice can send a binding acknowledgement back to the peer node that sent the binding update notice. Once the binding acknowledgement is received, the prior care-of address can be removed by the peer node that sent the binding update notice.

One advantage of the present application is the elimination of packet losses during IP address changes.

Another advantage of the present application is that the network protocol does not have to be modified.

Still another advantage of the present application is that attackers may have difficulty identifying the IP addresses of the aircraft avionics system and ground station.

Other features and advantages of the present application will be apparent from the following more detailed description of the identified embodiments, taken in conjunction with the accompanying drawings which show, by way of example, the principles of the application.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of an embodiment of a computer network.

FIG. 2 shows a block diagram of an aircraft computer from the computer network of FIG. 1.

FIG. 3 shows a block diagram of a ground station computer from the computer network of FIG. 1.

FIG. 4 is a process diagram showing an embodiment for changing the IP address of the aircraft computer or the ground station computer from the computer network of FIG. 1.

FIG. 5 is a graph showing the amount of data sent versus time during executions of the process of FIG. 4.

Wherever possible, the same reference numbers are used throughout the drawings to refer to the same or like parts.

DETAILED DESCRIPTION

The present application generally pertains to systems and methods for preventing a remote attack against the nodes (or computers) of a transportation system that communicates using the Internet. The transportation system can include one or more vehicles (e.g., aircraft, trains, buses, etc.) incorporating computerized control systems (e.g., aircraft avionics systems, train control systems, etc.) that communicate with corresponding control centers or ground stations (e.g., an airport control tower, train dispatcher's office, etc.) via the Internet. The present application uses moving target defense techniques for the nodes (e.g., the vehicle computer systems and the control center computer systems) of the transportation system to provide the nodes with dynamically changing IP addresses. Thus, the source and destination addresses used in packets exchanged by the nodes can both be dynamic IP addresses.

The moving target defense system and methods can dynamically change the care-of address of the nodes (e.g., the vehicle computer systems and the control center computer systems), effectively making the nodes mobile nodes, even though a node may not actually be mobile. A predetermined shuffling interval can be used to determine when to change the care-of address. In addition, to avoid dropping packets when changing the care-of address of a node, the node changing addresses stores a copy of its prior address in memory and is able to receive packets addressed with the prior address while informing the other nodes of its new address. Once the node changing addresses has received acknowledgements from the other nodes indicating that the other nodes have received the new address, the node changing addresses can delete the prior address from memory and only receive packets addressed with the new address.

The present application is described in the context of an aircraft avionics system communicating with a ground station, but it is to be understood that the present application can be used in any transportation system that uses the Internet for communication between the nodes of the transportation system.

FIG. 1 shows an embodiment of a computer network 10. The network 10 provides for communication between an aircraft 11 and a corresponding ground station 21 via network 20. An aircraft computer 12 of the aircraft 11 is communicatively coupled to the network 20 by a router 16 to exchange, i.e., send and receive, instructions, data and/or information with a ground station computer 24. The ground station computer 24 of the ground station 21 can be communicatively coupled to the network 20 by a router 22 to exchange, i.e., send and receive, instructions, data and/or information with the aircraft computer 12.

The aircraft computer 12 can be coupled to the router 16 by a firewall 14 and the router 16 can be coupled to network 20 to provide a communication path from the aircraft computer 12 to the network 20. The firewall 14 can be used to limit traffic to the aircraft computer 12. A passenger Wi-Fi network 18 can also be coupled to the router 16 and used to provide wireless broadband services to the passengers of the aircraft 11. The ground station computer 24 can be coupled to the router 22 and the router 22 can be coupled to the network 20 to provide a communication path from the ground station computer 24 to the network 20. In other embodiments, one or more of the aircraft computer 12 and the ground station computer 24 may be coupled directly to network 20 without using a router. In an embodiment, the network 20 can be the Internet and use the transmission control protocol/Internet protocol (TCP/IP) to communicate over the network 20. Due to the potentially large distances between the aircraft 11 and the ground station 21, the network 20 can incorporate one or more satellites (not shown) to facilitate communication between the aircraft 11 and the ground station 21 in some embodiments.

FIG. 2 depicts an embodiment of the aircraft computer 12. The aircraft computer 12 may include any device(s) capable of processing and communicating data, such as embedded computers (e.g., application specific standard processors (ASSPs), systems-on-chips (SoCs), or single board computers (SBCs)), real-time computers, programmable logic controllers (PLC) or Human Machine Interfaces (HMI) of Supervisory Control And Data Acquisition (SCADA) systems. The aircraft computer 12 has an operating system 25 for generally controlling the operation of the aircraft computer 12. The aircraft computer 12 also has MTD (moving target defense) logic 23 that operates in conjunction with the operating system 25 to control the IP (Internet protocol) addresses used by the aircraft computer 12 when communicating over network 20. The MTD logic 23 can use random IP addresses generated by the IP address generator 27. The aircraft computer 12 can have an avionics control system 26 that can be used to control operation of the aircraft 11 and can provide services such as flight control, navigation, collision detection and any other suitable operational control. The operating system 25, MTD logic 23, avionics control system 26 and IP address generator 27 can be implemented in software, hardware, firmware or any combination thereof. In the aircraft computer 12 shown by FIG. 2, the operating system 25, MTD logic 23, avionics control system 26 and IP address generator 27 can be implemented in software and stored in memory 29. Note that the operating system 25, MTD logic 23, avionics control system 26 and IP address generator 27, when implemented in software, can be stored and transported on any computer-readable medium for use by or in connection with an instruction execution apparatus that can fetch and execute instructions.

The aircraft computer 12 has at least one conventional processing element 31, which has processing hardware for executing instructions stored in memory 29. As an example, the processing element 31 may include a central processing unit (CPU) or a digital signal processor (DSP). The processing element 31 communicates to and drives the other elements within the aircraft computer 12 via a local interface 33, which can include at least one bus. Furthermore, an input interface 35, for example, a keypad, keyboard or a mouse, can be used to input data from a user of the aircraft computer 12, and an output interface 37, for example, a printer, monitor, liquid crystal display (LCD), or other display apparatus, can be used to output data to the user. Further, a communication interface 39, such as at least one modem, may be used to communicate with the router 16 (via firewall 14) and/or network 20.

The aircraft computer 12 can also include a binding cache 28 and a binding update list 30 stored in memory 29. The binding cache 28 can store binding information relating to nodes or computers that may receive packets from the aircraft computer 12. The binding update list 30 can store binding information relating to the binding updates sent by the aircraft computer 12. In one embodiment, the first entries in the binding cache 28 and the binding update list 30 can be set manually in the aircraft computer 12 in a system initialization step.

FIG. 3 depicts an embodiment of the ground station computer 24. The ground station computer 24 may include any device(s) capable of processing and communicating data, such as embedded computers (e.g., application specific standard processors (ASSPs), systems-on-chips (SoCs), or single board computers (SBCs)), real-time computers, programmable logic controllers (PLC) or Human Machine Interfaces (HMI) of Supervisory Control And Data Acquisition (SCADA) system. The ground station computer 24 has an operating system 75 for generally controlling the operation of the ground station computer 24. The ground station computer 24 also has MTD (moving target defense) logic 73 that operates in conjunction with the operating system 75 to control the IP (Internet protocol) addresses used by the ground station computer 24 when communicating over network 20. The MTD logic 73 can use random IP addresses generated by the IP address generator 77. The ground station computer 24 has an air traffic control system 76 that can be used to control the flight paths of the aircraft 11 near the ground station 21. The operating system 75, MTD logic 73, air traffic control system 76 and IP address generator 77 can be implemented in software, hardware, firmware or any combination thereof. In the ground station computer 24 shown by FIG. 3, the operating system 75, MTD logic 73, air traffic control system 76 and IP address generator 77 can be implemented in software and stored in memory 79. Note that the operating system 75, MTD logic 73, air traffic control system 76 and IP address generator 77, when implemented in software, can be stored and transported on any computer-readable medium for use by or in connection with an instruction execution apparatus that can fetch and execute instructions.

The ground station computer 24 has at least one conventional processing element 81, which has processing hardware for executing instructions stored in memory 79. As an example, the processing element 81 may include a central processing unit (CPU) or a digital signal processor (DSP). The processing element 81 communicates to and drives the other elements within the ground station computer 24 via a local interface 83, which can include at least one bus. Furthermore, an input interface 85, for example, a keypad, keyboard or a mouse, can be used to input data from a user of the ground station computer 24, and an output interface 87, for example, a printer, monitor, liquid crystal display (LCD), or other display apparatus, can be used to output data to the user. Further, a communication interface 89, such as at least one modem, may be used to communicate with the router 22 and/or network 20.

The ground station computer 24 can also include a binding cache 78 and a binding update list 80 stored in memory 79. The binding cache 78 can store binding information relating to nodes or computers that may receive packets from the ground station computer 24. The binding update list 80 can store binding information relating to the binding updates sent by the ground station computer 24. In one embodiment, the first entries in the binding cache 78 and the binding update list 80 can be set manually in the ground station computer 24 in a system initialization step.

The MTD logic 23, 73 used in both the aircraft computer 12 and the ground station computer 24 can be used to prevent remote attacks against the aircraft computer 12 and the ground station computer 24 by providing dynamic IP addresses for the aircraft computer 12 and the ground station computer 24. In one embodiment, the MTD logic 23, 73 can be based on Mobile IPv6 (Internet Protocol version 6). The MTD logic 23, 73 uses home addresses of the aircraft computer 12 and the ground station computer 24 to be the permanent addresses of the aircraft computer 12 and the ground station computer 24. The MTD logic 23, 73 uses care-of addresses of the aircraft computer 12 and the ground station computer 24 to be the dynamic IP addresses provided to the peer computers (i.e., the other computers connected to the aircraft computer 12 or the ground station computer 24) via network 20. Additional information regarding the operation of the MTD logic 23, 73 and IP address generators 27, 77 can be found in U.S. Provisional Application No. 62/338,665, entitled “Moving Target Defense Systems and Methods” and filed on May 19, 2016, which application is incorporated herein by reference in its entirety.

In one embodiment, the home addresses of the aircraft computer 12 and the ground station computer 24 can be assigned an IP address that is different from any possible care-of addresses that may be used by the aircraft computer 12 and the ground station computer 24. For example, the IP address of the home address for the aircraft computer 12 or the ground station computer 24 can have a prefix that is different from a subnet received by the aircraft computer 12 or the ground station computer 24 from a route advertisement message. By receiving a different prefix in the route advertisement message, the aircraft computer 12 or the ground station computer 24 can think it is in a foreign network and can register a care-of address in the network.

For example, the care-of address for the aircraft computer 12 may use a portion of the IP address for the router 16 connected to the aircraft computer 12 and the home address would be assigned an address such that the portion of the IP address for the router 16 used in the care-of address is not used for the home address. Similarly, the care-of address for the ground station computer 24 may use a portion of the IP address for the router 22 connected to the ground station computer 24 and the home address would be assigned an address such that the portion of the IP address for the router 22 used in the care-of address is not used for the home address.

Only the care-of address of the aircraft computer 12 is accessible by the ground station computer 24 (or other peer computers) and only the care-of address of the ground station computer 24 is accessible by the aircraft computer 12 (or other peer computers). The corresponding IP address generators 27, 77 can be used to dynamically rotate the care-of address of the aircraft computer 12 and the ground station computer 24 for the corresponding MTD logic 23, 73. The use of the home address as the permanent address for the aircraft computer 12 and the ground station computer 24 can provide transparency to applications operating on the aircraft computer 12 and the ground station computer 24. In addition, since the aircraft computer 12 and the ground station computer 24 can be connected to the network 18 via routers 16, 22, the home addresses are not accessible through the network 20. The only accessible IP addresses of the aircraft computer 12 and the ground station computer 24 are the care-of addresses which can be rotated randomly and dynamically.

The MTD logic 23, 73 (through Mobile IPv6) enables the peer computers to cache the binding of the aircraft computer's or the ground station computer's permanent IP address (the home address) with its dynamic IP address (the care-of address) and then send any packets destined for the aircraft computer 12 or the ground station computer 24 directly to the aircraft computer 12 or the ground station computer 24 using the dynamic IP address. A binding update mechanism/process can be used to inform the peer computers of changes to the dynamic IP address of the aircraft computer 12 or the ground station computer 24. The peer computers can use the new dynamic IP address from the aircraft computer 12 or the ground station computer 24 only after receiving the new address in a binding update message from the aircraft computer 12 or the ground station computer 24, which has registered the new dynamic IP address.

As part of the registration process discussed above, the aircraft computer 12 or the ground station computer 24 is connected to network 20 and the MTD logic 23, 73 with IP address generator 27, 77 can create a care-of address for the aircraft computer 12 or the ground station computer 24, based on information received in a route advertisement message from the router 16, 22 connected to the aircraft computer 12 or the ground station computer 24, using the stateless address auto configuration capability of IPv6. The MTD logic 23, 73 can then bind the care-of address for the aircraft computer 12 or the ground station computer 24 to the home address for the aircraft computer 12 or the ground station computer 24. Once the binding of the home address and the care-of address is complete, the aircraft computer 12 or the ground station computer 24 are not accessible by the home address. Thus, a new peer computer connecting to network 20 cannot have access to the aircraft computer 12 or the ground station computer 24 by the home address of the aircraft computer 12 or the ground station computer 24.

The MTD logic 23, 73 can then start the route optimization process by sending a packet from the aircraft computer 12 or the ground station computer 24 to each other peer computer using a static shared key method. The aircraft computer 12 or the ground station computer 24 can send a binding update message to each peer computer and wait to receive a corresponding binding acknowledgement message from each peer computer. In one embodiment, the MTD logic 23, 73 can use a static shared key during the binding update procedure. In another embodiment, the MTD logic 23, 73 can use Internet Protocol Security (IPsec) with Internet Key Exchange (IKE) during the binding update procedure. Both security methods may also be used for transmitting data packets between the aircraft computer 12 and ground station computer 24.

The binding update list 30, 80 of the aircraft computer 12 or the ground station computer 24 stores information for each binding update sent by the aircraft computer 12 or the ground station computer 24. The binding update list 30, 80 includes all bindings sent by the aircraft computer 12 or the ground station computer 24 either to its home agent (e.g., router 16, 22) or peer computers. For multiple binding updates sent to the same destination address, the binding update list 30, 80 can include only the most recent binding update sent to that destination address. The binding update list 30, 80 can be used to determine whether a particular packet is sent directly to the peer computer or tunneled via the home agent. Each entry in the binding update list 30, 80 can include fields for: the IP address of the node to which a binding update was sent; the home address of the aircraft computer 12 or the ground station computer 24 sending the binding update; and the care-of address sent in that binding update.

The binding cache 28, 78 of the aircraft computer 12 or the ground station computer 24 records information relating to the bindings of other nodes or peer computers. Each entry in the binding cache 28, 78 can include fields for: the home address of the peer computer providing the binding information to be entered into the binding cache; and the care-of address for the peer computer indicated by the home address field in the binding cache entry. The home address field in the binding cache entry is used as the key for searching the binding cache for the destination address of a packet being sent. Each time the aircraft computer 12 or the ground station computer 24 executes a change of its care-of address, the aircraft computer 12 or the ground station computer 24 can send binding update messages to all of the peer computers listed in the binding update list 30, 80.

FIG. 4 shows an embodiment of a process for updating the care-of address of the aircraft computer 12 or the ground station computer 24. The process begins by generating a new CoA (care-of address) by the corresponding IP address generator 27, 77 (step 302). The IP address generator 27, 77 can randomly generate a new IP address as the CoA of the aircraft computer 12 or the ground station computer 24. The IP address generator 27, 77 can create a random 64 bit address and combine the randomly created address with the highest significant 64 bits of the current CoA to generate the new CoA. In other embodiments, the random portion of the new CoA and the highest significant bits portion of the new CoA can be of different bit lengths depending on the size of the CoA and the desired amount of randomness to be incorporated into the new CoA. The new CoA is then checked to determine if it is unoccupied, i.e., available, by sending a neighbor solicitation message before registering the new CoA. The MTD logic 23, 73 can then detect if an address collision occurred, i.e., the new CoA is being used by another device. If an address collision occurred, the process generates another CoA and checks to see if it is unoccupied.

If no collision is detected, then the new CoA can be registered (step 304). When the new CoA is registered the prior CoA can be maintained in memory in order for the aircraft computer 12 or the ground station computer 24 to receive messages from peer computers during the update process. The MTD logic 23, 73 can then send a binding update message (step 306) to the peer computers connected to the aircraft computer 12 or the ground station computer 24 to inform the peer computers of the new CoA. In one embodiment, the aircraft computer 12 or the ground station computer 24 can check its binding cache 28, 78 before sending the binding update message in order to send the binding update message directly to the CoAs of the peer computers (i.e., the destination address is the CoA of the peer computer) without having to use any home agents.

In one embodiment, IPsec should be used for encryption and as a proof of home address ownership when sending a binding update message. The peer computer receiving a binding update message protected by IPsec has proof of home address ownership by the aircraft computer 12 or the ground station computer 24. When IPsec is used to communicate packets between two peer computers, every packet can contain a simple piece of information (e.g., a security parameter index) that gives access to address information for both peers and the shared key. IPsec can be used for the route optimization process such that there is not a need for any home agent in the network and the home addresses are not accessible.

The aircraft computer 12 or the ground station computer 24 can receive a binding acknowledgement message from each of the peer computers (step 308) notifying the aircraft computer 12 or the ground station computer 24 that the peer computers have been informed of the new CoA. Once the aircraft computer 12 or the ground station computer 24 has received binding acknowledgements from the peer computers, the aircraft computer 12 or the ground station computer 24 can remove the prior CoA from memory (step 310).
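The update sequence of FIG. 4 (steps 302 to 310) can be sketched as a small simulation. This is an added example, not code from the application: the `Node` class, the message dictionaries and the addresses are hypothetical, an HMAC over the binding stands in for the static shared key or IPsec protection, a set of occupied addresses stands in for the neighbor solicitation check, and sending the acknowledgement to the new CoA is an assumption.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed demo key: stands in for the static shared key (or an IPsec SA).
SHARED_KEY = b"constructed-demo-key"


def generate_coa(current_coa, in_use, rand64=lambda: secrets.randbits(64)):
    """Step 302: keep the upper 64 bits of the current CoA, randomize the rest.

    `in_use` stands in for the neighbor solicitation check; an occupied
    candidate is discarded and another one is drawn.
    """
    prefix = (int(ipaddress.IPv6Address(current_coa)) >> 64) << 64
    while True:
        candidate = str(ipaddress.IPv6Address(prefix | rand64()))
        if candidate not in in_use:
            return candidate


def _tag(home, coa):
    """Authenticate a (home address, CoA) binding with the shared key."""
    msg = f"{home}|{coa}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


class Node:
    def __init__(self, home, coa):
        self.home, self.coa, self.prior_coa = home, coa, None
        self.binding_cache = {}        # peer home address -> peer CoA
        self.binding_update_list = {}  # destination -> (own home, CoA sent)
        self.pending_acks = set()      # peer home addresses still to answer

    def accepts(self, dst):
        """Accept packets on the current CoA and, mid-update, the prior one."""
        return dst == self.coa or (
            self.prior_coa is not None and dst == self.prior_coa)

    def start_rotation(self, in_use, rand64=lambda: secrets.randbits(64)):
        """Steps 302-306: new CoA, keep the prior one, build binding updates."""
        new_coa = generate_coa(self.coa, in_use, rand64)
        self.prior_coa, self.coa = self.coa, new_coa        # step 304
        updates = []
        for peer_home, peer_coa in self.binding_cache.items():
            self.binding_update_list[peer_coa] = (self.home, new_coa)
            self.pending_acks.add(peer_home)
            updates.append({"type": "BU", "dst": peer_coa, "home": self.home,
                            "coa": new_coa, "tag": _tag(self.home, new_coa)})
        return updates

    def on_binding_update(self, bu):
        """Peer side: verify, cache the new binding, return an acknowledgement."""
        if not self.accepts(bu["dst"]):
            return None
        if not hmac.compare_digest(bu["tag"], _tag(bu["home"], bu["coa"])):
            return None                # unauthenticated binding: ignore it
        self.binding_cache[bu["home"]] = bu["coa"]
        return {"type": "BA", "dst": bu["coa"], "home": self.home,
                "coa": bu["coa"], "tag": _tag(self.home, bu["coa"])}

    def on_binding_ack(self, ba):
        """Steps 308-310: drop the prior CoA once every peer has acknowledged."""
        valid = (self.accepts(ba["dst"]) and ba["coa"] == self.coa and
                 hmac.compare_digest(ba["tag"], _tag(ba["home"], ba["coa"])))
        if not valid:
            return False
        self.pending_acks.discard(ba["home"])
        if not self.pending_acks:
            self.prior_coa = None                            # step 310
        return self.prior_coa is None


def demo():
    # Constructed addresses from the 2001:db8::/32 documentation prefix.
    aircraft = Node("2001:db8:a::1", "2001:db8:1::10")
    ground = Node("2001:db8:b::1", "2001:db8:2::20")
    # The first binding cache entries are set manually at initialization.
    aircraft.binding_cache[ground.home] = ground.coa
    ground.binding_cache[aircraft.home] = aircraft.coa
    old = aircraft.coa
    bu = aircraft.start_rotation(in_use={old, "2001:db8:1::1"})[0]
    during = (aircraft.accepts(old), aircraft.accepts(aircraft.coa))
    ack = ground.on_binding_update(bu)
    aircraft.on_binding_ack(ack)
    after = (aircraft.accepts(old), aircraft.accepts(aircraft.coa))
    return during, after


if __name__ == "__main__":
    print(demo())
```

Between the binding update and the acknowledgement the node answers on both addresses, which is why no packets are dropped; a binding update whose tag does not verify leaves the peer's binding cache unchanged.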

In one embodiment, the process of FIG. 4 can be repeated on a predetermined interval, which can be referred to as a shuffling interval. The shuffling interval can range from shorter time periods such as 5 or 10 seconds (down to about 2 seconds) to longer time periods such as 1 or 2 minutes (or greater) depending on the activity at the aircraft computer 12 or the ground station computer 24. During the update procedure, the aircraft computer 12 or the ground station computer 24 can be accessed by the peer computers since the aircraft computer 12 or the ground station computer 24 maintains the prior CoA during the update procedure.

In one example, the aircraft computer 12 can send 1000 TCP packets per second (each packet being 500B (bytes)) to the ground station computer 24 over a 50 second time period. The shuffling interval used by the aircraft computer 12 can be 10 seconds. The signaling overhead at a node, per update, can be 268B to about 316B (from the binding update message and the binding acknowledgement message). The data signaling packet overhead can be 24B (from the IPsec header). As shown in FIG. 5, there is no packet loss in the transmissions over the 50 second time period. In addition, FIG. 5 also shows the shuffling interval transitions from the process of FIG. 4.

In an embodiment, the new CoA should be created and announced by a binding update message before removing the previous CoA. The old CoA can be removed after receiving the binding acknowledgement message(s) from the peer computers. The aircraft computer 12 or the ground station computer 24 should generate a new CoA and make sure that the IP address for the new CoA is free (e.g., by neighbor solicitation message). Then the aircraft computer 12 or the ground station computer 24 should send a ping from the new CoA to its router 16, 22 to put the new CoA (with the MAC address) in the router's table. Then the aircraft computer 12 or the ground station computer 24 should send the binding update message to the peer computers and after receiving the binding acknowledgement messages from the peer computers, the aircraft computer 12 or the ground station computer 24 can remove the previous CoA.

Although the figures herein may show a specific order of method steps, the order of the steps may differ from what is depicted. Also, two or more steps may be performed concurrently or with partial concurrence. Variations in step performance can depend on the software and hardware systems chosen and on designer choice. All such variations are within the scope of the application. Software implementations could be accomplished with standard programming techniques, with rule based logic and other logic to accomplish the various connection steps, processing steps, comparison steps and decision steps.

It should be understood that the identified embodiments are offered by way of example only. Other substitutions, modifications, changes and omissions may be made in the design, operating conditions and arrangement of the embodiments without departing from the scope of the present application. Accordingly, the present application is not limited to a particular embodiment, but extends to various modifications that nevertheless fall within the scope of the application. It should also be understood that the phraseology and terminology employed herein is for the purpose of description only and should not be regarded as limiting.

What is claimed is:
 1. A method for dynamically updating addresses for nodes of a transportation system, the method comprising: dynamically generating a first Internet Protocol (IP) address for a first node at a first interval, the first IP address replacing a prior first IP address for the first node, wherein the first node is a first component of a transportation system; dynamically generating a second IP address for a second node at a second interval, the second IP address replacing a prior second IP address for the second node, wherein the second node is a second component of the transportation system in communication with the first node; communicating, by the first node, the first IP address to the second node; communicating, by the second node, the second IP address to the first node; addressing, by the first node, packets for the second node with the second IP address received from the second node; and addressing, by the second node, packets for the first node with the first IP address received from the first node.
 2. The method of claim 1, wherein the communicating the first IP address includes: sending a binding update message with the first IP address to the second node; and receiving, by the first node, a binding acknowledgement from the second node indicating that the second node has received the first IP address from the first node.
 3. The method of claim 2, further comprising: accepting, by the first node, packets from the second node using the first IP address upon receipt of the binding acknowledgement by the first node; and rejecting, by the first node, packets from the second node using the prior first IP address upon receipt of the binding acknowledgement by the first node.
 4. The method of claim 2, further comprising accepting, by the first node, packets from the second node using the prior first IP address after sending the binding update message to the second node.
 5. The method of claim 2, further comprising: storing, by the first node, the prior first IP address in memory in response to the generation of the first IP address; and deleting, by the first node, the prior first IP address from the memory in response to the receipt of the binding acknowledgement.
 6. The method of claim 2, wherein the sending the binding update message includes: searching a binding cache, by the first node, for the second IP address used by the second node; and inserting the second IP address used by the second node as a destination address of the binding update message.
 7. The method of claim 2, further comprising storing, by the first node, information relating to the sending the binding update message to the second node in a binding update list.
 8. The method of claim 1, wherein the communicating the second IP address includes: sending a binding update message with the second IP address for the second node to the first node; receiving, by the second node, a binding acknowledgement from the first node indicating that the first node has received the second IP address for the second node.
 9. The method of claim 8, further comprising: accepting, by the second node, packets from the first node using the second IP address for the second node upon receipt of the binding acknowledgement by the second node; and rejecting, by the second node, packets from the first node using the prior second IP address for the second node upon receipt of the binding acknowledgement by the second node.
 10. A transportation system comprising: a plurality ofvehicles, each vehicle of the plurality of vehicles having acorresponding vehicle computer configured to control operation of thevehicle; a control station computer communicatively coupled to eachvehicle computer of the plurality of vehicles by a network, the controlstation computer configured to control a path of each vehicle of theplurality of vehicles; each vehicle computer having a vehicle addresswhen communicating with the control station computer, each vehiclecomputer configured to dynamically change the vehicle address at a firstinterval; the control station computer having a control station address,the control station computer configured to dynamically change thecontrol station address at a second interval; and wherein each vehiclecomputer is configured to use the control station address whenaddressing packets to the control station computer and the controlstation computer is configured to use the corresponding vehicle addresswhen addressing packets to a vehicle computer.
 11. The transportationsystem of claim 10, wherein the plurality of vehicles comprise at leastone of a plurality of aircraft, a plurality of trains or a plurality ofbuses.
 12. The transportation system of claim 10, wherein each vehiclecomputer is configured to execute a binding update process when changingthe corresponding vehicle address from a prior vehicle address to a newvehicle address, each vehicle computer configured to receive packetsusing the prior vehicle address from the control station computer duringthe binding update process.
 13. The transportation system of claim 12,wherein each vehicle computer is configured to send a correspondingvehicle binding update message to the control station computer duringthe binding update process, and the control station computer isconfigured to send a vehicle binding acknowledgement to a correspondingvehicle computer in response to receiving the vehicle binding updatemessage.
 14. The transportation system of claim 13, wherein each vehiclecomputer is configured to end the binding update process in response toreceiving the vehicle binding acknowledgement from the control stationcomputer.
 15. The transportation system of claim 12, wherein the controlstation computer is configured to execute a binding update process whenchanging the control station address from a prior control stationaddress to a new control station address, the control station computerconfigured to receive packets using the prior control station addressfrom each vehicle computer during the binding update process.
 16. Thetransportation system of claim 15, wherein the control station computeris configured to send a control station binding update message to eachvehicle computer during the binding update process, and each vehiclecomputer is configured to send a control station binding acknowledgementto the control station computer in response to receiving the controlstation binding update message.
 17. The transportation system of claim16, wherein the control station computer is configured to end thebinding update process in response to receiving the control stationbinding acknowledgement from each vehicle computer.
 18. Thetransportation system of claim 10, wherein: each vehicle computercomprises a first binding cache storing the control station address,each vehicle computer configured to retrieve the control station addressin the first binding cache when sending a packet to the control stationcomputer; and the control station computer comprises a second bindingcache storing each vehicle address for each vehicle computer of theplurality of vehicles, the control station computer configured toretrieve the corresponding vehicle address in the second binding cachewhen sending a packet to a vehicle computer.
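
The binding update exchange recited in claims 2 through 7, as an added illustration that is not part of the application or any implementation by its authors. The `Node` class, the message dictionaries, the random address generator and the `2001:db8::/64` documentation prefix are assumptions made for this sketch; message authentication and the network itself are not modelled.

```python
import ipaddress
import secrets

PREFIX = ipaddress.IPv6Network("2001:db8::/64")  # documentation prefix, constructed

def random_address():
    """Assumed generator: random 64-bit interface identifier inside PREFIX."""
    return PREFIX[secrets.randbits(64)]

class Node:
    def __init__(self, name):
        self.name = name
        self.care_of = random_address()
        self.prior = None               # prior address, kept only mid-update
        self.binding_cache = {}         # peer name -> peer's current address
        self.binding_update_list = []   # binding updates awaiting acknowledgement

    def start_update(self, peer_name):
        """New address, prior kept, update addressed via the binding cache."""
        self.prior, self.care_of = self.care_of, random_address()
        msg = {"type": "BU", "src": self.name, "new": self.care_of,
               "dst": self.binding_cache[peer_name]}
        self.binding_update_list.append((peer_name, self.care_of))
        return msg

    def on_binding_update(self, msg):
        """Record the sender's new address and answer with an acknowledgement."""
        self.binding_cache[msg["src"]] = msg["new"]
        return {"type": "BA", "src": self.name, "ack": msg["new"]}

    def on_binding_ack(self, msg):
        """Finish the update: delete the prior address once acknowledged."""
        if (msg["src"], msg["ack"]) in self.binding_update_list:
            self.binding_update_list.remove((msg["src"], msg["ack"]))
            self.prior = None

    def accepts(self, dst):
        """Accept the current address, and the prior one only during an update."""
        return dst == self.care_of or (self.prior is not None and dst == self.prior)

def run_exchange():
    vehicle, station = Node("vehicle"), Node("station")
    vehicle.binding_cache["station"] = station.care_of
    station.binding_cache["vehicle"] = vehicle.care_of
    old = vehicle.care_of
    bu = vehicle.start_update("station")
    mid = (vehicle.accepts(old), vehicle.accepts(vehicle.care_of))
    vehicle.on_binding_ack(station.on_binding_update(bu))
    done = (vehicle.accepts(old), vehicle.accepts(vehicle.care_of))
    return mid, done, station.binding_cache["vehicle"] == vehicle.care_of
```

`run_exchange()` returns the acceptance state for the old and new address during the update, the same pair after the acknowledgement, and whether the station's binding cache now holds the vehicle's new address.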